Perhaps using Unicode strings and LPWSTR?
Nuclear launch detected
How do I come to know the Pad size, and also from where should we start reading logs: from old to new or from new to old?
Thanks
CHAR Pad[] ??
Start reading logs from old to new or from new to old?
Read ReadEventLog() in MSDN, the second param, for example: EVENTLOG_SEEK_READ | EVENTLOG_FORWARDS_READ in the code.
At work I thought that we'd need a program to trigger on certain events (and then maybe send an email, or so). So I thought I'd write an eventlog "watcher".
I just had some trouble finding the extra piece of info related to the event when I came across this section telling me that I should use FormatMessage with files (whose location I can find in the registry related to the event source).
Nice - just what I needed to know, thanks
How can I use this application on a PDC to detect each remote logon to the domain and get information about the user?
Hi,
Is there a way to get it to run on XP Pro?
I can't open any windows when building the application.
Neil
The computer enumeration is very outdated (frankly, it is a horror - don't tell anyone I wrote it). So if you write a correct routine to write computer names there, it should work.
Hi,
When I select the system from the dropdown and press the Open button, it says
"The RPC server is unavailable."
How can I rectify it?
Thank you in Advance.
Regards,
Pravin.
1. The computer enumeration needs a complete rewrite using NetAPI...
2. "The RPC server is unavailable" is one of the multitude of errors returned by various APIs. You have to debug the code in order to see which call triggered this error.
Hi,
I am using Windows 2000.
I debugged the code and found it was in the SysMain_WndProc.C file, in
LRESULT*
OnOpen(HWND hWnd, LRESULT *plResult)
and the line is
_stprintf(lpszCaption, "Event Log on %s - ", lpszMachineName);
Here _stprintf goes deep inside and asks for Output.C; skipping that gives the message box with 'The RPC server is unavailable.' as the message.
Can you help me to solve this? I tried with Windows 2000. Are there any special settings to be made?
Thank you in Advance,
Regards,
Pravin.
Output.c is an internal CRT file.
I doubt the C runtime library needs RPC to format the string.
It is one of the next API calls that gives you this message. I don't remember now what OnOpen does, but I suppose it is calling OpenSCManager or OpenEventLog. Either one can return this to you.
If you think the problem is not in the code, you have a lot of articles in MSDN (you can start with 'Troubleshooting "RPC Server is Unavailable" in Windows 2000' - Q224370). Please read them, search for help on the internet etc. - I can't help you just starting from RPC_S_SERVER_UNAVAILABLE.
Don't be afraid to debug. I posted this sample almost 4 years ago. If you get a crash, ok - but this is a valid error message and can be exactly what is happening on your machine.
Hello,
I use the function ReadEventLog with Visual Basic, but it does not work with all servers.
With some servers I get the error "INVALID_PARAMETER" (ID: 87). I don't
change any parameter!
Does anybody have an idea?
massel
Thank you for the answer, but this was not the reason, because in my code it says:
If GetNumberOfEventLogRecords(plngEventLogHwd, _
plngRecordNumber) <> False Then ....
so this part is ok.
And I always get the number of event log records.
But the function
plngRtn = ReadEventLog(plngEventLogHwd, _
plngReadFlags, plngReadRecordOffset, _
pbyteBuffer(0), plngNumBytesToRead, _
plngBytesRead, plngMinNumBytesNeeded)
returns zero with some servers and the LastDllError is 87. The parameter plngMinNumBytesNeeded is zero too.
With other servers, the parameter plngMinNumBytesNeeded is not zero.
If I call this function again with plngNumBytesToRead=plngMinNumBytesNeeded it works.
I don't know whether the problem is the code; maybe it is the server??
M.Siebel
Dear Cristian,
thank you for this resolution - it works!
But not all log files where it failed with EVENTLOG_SEEK_READ were larger than 2MB, and one
log file where it didn't fail was larger than 2MB!
So I don't know whether the log file size is the reason.
Many thanks
M.Siebel
Could you post the solution on the board here? I'm experiencing the same issue -- when I use "EVENTLOG_FORWARDS_READ Or EVENTLOG_SEEK_READ" I get the invalid parameter error. When I use "EVENTLOG_FORWARDS_READ Or EVENTLOG_SEQUENTIAL_READ" it works, but I have to loop through *ALL* event records to read the event record in the middle that I want to read.
Thanks in advance,
TClegg
Does anybody have an idea how to extract the description string of an event, which is displayed when opening the properties dialog?
Thanks!
Ralph
I've just copied the code from my program; I don't have much time so I haven't modified it. As you can see I save the information into a file, but I guess you can ignore that. If you have any problem understanding my writing, just write back.
All right??
Mariajo
int GetString(EVENTLOGRECORD *pRecord, FILE **xmlFile, LPSTR source)
{
    BOOL f;
    FILE *xml;
    TCHAR szEvent[256], szBuffer[256], **first_sz;
    HMODULE hEvt;
    LPTSTR lpP[] = { "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "" };
    LPTSTR lpBuf, lib;
    LPBYTE pStr = NULL;
    xml = *xmlFile;
    //LPSTR *final_str;
    //final_str = (LPSTR *)malloc(pRecord->NumStrings);
    /* The insertion strings follow one another, NUL-terminated, at StringOffset */
    if (pRecord->NumStrings)
        pStr = (LPBYTE)pRecord + pRecord->StringOffset;
    if (pStr)
    {
        DWORD i;
        for (i = 0; i < pRecord->NumStrings; i++)
        {
            // final_str[i] = pStr;
            lpP[i] = (LPTSTR)pStr;
            pStr = (LPBYTE)strchr((char *)pStr, '\0') + 1;
        }
    }
    /* EventMessageFile from the registry; several files are separated by ';' */
    f = ReadEventSourceInfo(source, szEvent);
    if (strchr(szEvent, ';'))
    {
        int i = 0, j, k, num_files = 0, last = 0;
        char *aux, *cad;
        aux = szEvent;
        while (aux = strchr(aux, ';'))
        {
            num_files++;
            aux++;
        }
        aux = szEvent;
        for (j = 0; j <= num_files; j++)
        {
            int counter = 0;
            while ((szEvent[i] != ';') && i < sizeof(szEvent))
            {
                i++;
                counter++;
            }
            first_sz = (TCHAR **)malloc(num_files * (sizeof(szEvent)));
            cad = (char *)malloc(counter + 1);
            for (k = 0; k < counter; k++)
                cad[k] = szEvent[last + k];
            cad[counter] = '\0';
            first_sz[j] = cad;
            last = i;
            ExpandEnvironmentStrings(first_sz[j], szBuffer, sizeof(szBuffer));
            hEvt = LoadLibraryEx(szBuffer, NULL, DONT_RESOLVE_DLL_REFERENCES);
            /* Load the event message file DLL */
            if (hEvt)
            {
                int i = 0;
                /* Get the event message with the parameter strings inserted */
                lpBuf = GetEventMessage(hEvt, pRecord->EventID,
                                        MAKELANGID(LANG_ENGLISH, SUBLANG_DEFAULT), lpP);
                if (lpBuf)
                {
                    /* Replace angle brackets so the text does not break the XML element */
                    for (i = 0; i < strlen(lpBuf); i++)
                    {
                        if ((lpBuf[i] == '<') || (lpBuf[i] == '>'))
                        {
                            lpBuf[i] = '"';
                        }
                    }
                    fprintf(xml, "<description> ");
                    fputs(lpBuf, xml);
                    LocalFree(lpBuf);
                    fprintf(xml, "\n");
                    return 1;
                }
                FreeLibrary(hEvt);
            }
        }
        return 1;
    }
    else
    {
        ExpandEnvironmentStrings(szEvent, szBuffer, sizeof(szBuffer));
        hEvt = LoadLibraryEx(szBuffer, NULL, DONT_RESOLVE_DLL_REFERENCES);
        /* Load the event message file DLL */
        if (hEvt)
        {
            int i;
            /* Get the event message with the parameter strings inserted */
            lpBuf = GetEventMessage(hEvt, pRecord->EventID,
                                    MAKELANGID(LANG_ENGLISH, SUBLANG_DEFAULT), lpP);
            if (lpBuf)
            {
                for (i = 0; i < strlen(lpBuf); i++)
                {
                    if ((lpBuf[i] == '<') || (lpBuf[i] == '>'))
                        lpBuf[i] = '"';
                }
                fprintf(xml, "\n <description> ");
                fprintf(xml, "%s\n", lpBuf);
                //LocalFree( lpBuf );
                fprintf(xml, "\n");
                return 1;
            }
            FreeLibrary(hEvt);
        }
    }
    return 0;
}
BOOL ReadEventSourceInfo(LPCSTR lpszESName, LPSTR lpszEvent)
{
    BOOL fResult = FALSE;
    HKEY hKey;
    DWORD dwBytesReturned;
    TCHAR szKeyName[128];
    /* Find the event source key: try the Security, System and Application logs in turn.
       KEY_READ is enough to query the value and does not need administrative rights. */
    lstrcpy(szKeyName,
            "System\\CurrentControlSet\\Services\\EventLog\\Security\\");
    lstrcat(szKeyName, lpszESName);
    if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, szKeyName, 0, KEY_READ,
                     &hKey) != ERROR_SUCCESS)
    {
        lstrcpy(szKeyName,
                "System\\CurrentControlSet\\Services\\EventLog\\System\\");
        lstrcat(szKeyName, lpszESName);
        if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, szKeyName, 0, KEY_READ,
                         &hKey) != ERROR_SUCCESS)
        {
            lstrcpy(szKeyName,
                    "System\\CurrentControlSet\\Services\\EventLog\\Application\\");
            lstrcat(szKeyName, lpszESName);
            if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, szKeyName, 0, KEY_READ,
                             &hKey) != ERROR_SUCCESS)
            {
                goto Exit_ReadEventSourceInfo;
            }
        }
    }
    fResult = TRUE; /* Found the registered event source key */
    dwBytesReturned = 256;
    if (RegQueryValueEx(hKey, "EventMessageFile", NULL, NULL,
                        (LPBYTE)lpszEvent, &dwBytesReturned) != ERROR_SUCCESS)
        lpszEvent[0] = '\0';
Exit_ReadEventSourceInfo:
    return (fResult);
}
// I needed the description text.
// Here is a (hacked) example to print out the full text messages.
// Compiles on VC71
////////////////////////////////////////////////////////////////////
//
// Event_Test.cpp : Defines the entry point for the console application.
//
#define _WIN32_WINNT 0x0400 //Target NT and greater OS
#include <afx.h>
#include <tchar.h>
#include <iostream>
using namespace std;
LPSTR GetString(EVENTLOGRECORD *pRecord, LPSTR source);
BOOL ReadEventSourceInfo(LPCSTR lpszESName, LPSTR lpszEvent);
LPSTR GetEventMessage(
HMODULE hDll, /* Handle to the event message file */
DWORD dwEventIndex, /* Index of the event description message */
DWORD dwLanguageID, /* Language ID of the message to retrieve */
LPTSTR *lpInserts );
int _tmain(int argc, _TCHAR* argv[])
{
#define BUFFER_SIZE 40960
HANDLE h;
EVENTLOGRECORD *pevlr;
BYTE bBuffer[BUFFER_SIZE];
DWORD dwRead, dwNeeded, dwThisRecord;
LPSTR lpmessagetext="";
// Open the Application event log.
h = OpenEventLog( NULL, // use local computer
"System"); // System Log name
if (h == NULL) {
printf("Could not open the System event log.");
return 1;
}
pevlr = (EVENTLOGRECORD *) &bBuffer;
// Get the record number of the oldest event log record.
GetOldestEventLogRecord(h, &dwThisRecord);
// Opening the event log positions the file pointer for this
// handle at the beginning of the log. Read the event log records
// sequentially until the last record has been read.
while (ReadEventLog(h, // event log handle
EVENTLOG_BACKWARDS_READ | // reads from most recent
EVENTLOG_SEQUENTIAL_READ, // sequential read
0, // ignored for sequential reads
pevlr, // pointer to buffer
BUFFER_SIZE, // size of buffer
&dwRead, // number of bytes read
&dwNeeded)) // bytes in next record
{
while (dwRead > 0)
{
printf("%02d Event ID: %i ",
dwThisRecord++, (short)pevlr->EventID);
printf("EventType: %d Source: %s\n",
pevlr->EventType, (LPSTR) ((LPBYTE) pevlr + sizeof(EVENTLOGRECORD)));
lpmessagetext = GetString(pevlr, ((LPSTR) ((LPBYTE) pevlr +
sizeof(EVENTLOGRECORD))));
printf("%s\n", lpmessagetext);
dwRead -= pevlr->Length;
pevlr = (EVENTLOGRECORD *)
((LPBYTE) pevlr + pevlr->Length);
}
pevlr = (EVENTLOGRECORD *) &bBuffer;
}
CloseEventLog(h);
return 0;
}
LPSTR GetString(EVENTLOGRECORD *pRecord, LPSTR source)
{
BOOL f;
TCHAR szEvent[256],szBuffer[256], **first_sz;
HMODULE hEvt;
LPTSTR lpP[] = { "", "", "", "", "", "","", "", "","", "", "","", "", "","", "", "","", "", ""};
LPSTR lpBuf="";
LPTSTR lpstrlpBuf = "";
char* pStr;
if (pRecord->NumStrings ) {
pStr = (char*)((LPBYTE)pRecord + pRecord->StringOffset);
} else {
pStr = "";
}
if ( pStr )
{
DWORD i;
for ( i = 0; i < pRecord->NumStrings; i++ )
{
lpP[i] = (LPSTR)pStr;
pStr = strchr( (char*)pStr, '\0' ) + 1;
}
}
//Get the file name(s) from the registry
f = ReadEventSourceInfo( source, szEvent);
if(strchr(szEvent, ';'))
{
int i=0, j, k, num_files=0, last=0;
char *aux, *cad;
aux = szEvent;
while(aux = strchr(aux, ';'))
{
num_files++;
aux++;
}
aux = szEvent;
for(j=0; j<= num_files; j++)
{
int counter =0;
while((szEvent[i]!= ';') && i < sizeof(szEvent)){
i++;
counter++;
}
first_sz= (TCHAR **)malloc(num_files * (sizeof(szEvent)));
cad = (char *) malloc(counter+1);
for(k = 0; k < counter; k++ ){
cad[k] = szEvent[last+k];
}
cad[counter]= '\0';
first_sz[j] = cad;
i++;
last = i;
//Convert the %SystemRoot% stuff
ExpandEnvironmentStrings(first_sz[j],szBuffer, 257);
//We actually have to load an .exe or what not to read the messages
hEvt = LoadLibraryEx(szBuffer, NULL, DONT_RESOLVE_DLL_REFERENCES );
/* Load the event message file DLL */
if ( hEvt )
{
/* Get the event message with the paramater strings inserted */
lpBuf = GetEventMessage( hEvt, pRecord->EventID,
MAKELANGID(LANG_ENGLISH, SUBLANG_DEFAULT), lpP );
FreeLibrary( hEvt );
}
}
return (lpBuf);
}
else
{
ExpandEnvironmentStrings(szEvent,szBuffer, 257);
hEvt = LoadLibraryEx(szBuffer, NULL, DONT_RESOLVE_DLL_REFERENCES );
/* Load the event message file DLL */
if ( hEvt )
{
/* Get the event message with the paramater strings inserted */
lpBuf = GetEventMessage( hEvt, pRecord->EventID,
MAKELANGID(LANG_ENGLISH, SUBLANG_DEFAULT), lpP );
FreeLibrary( hEvt );
}
}
return (lpBuf);
}
//
BOOL ReadEventSourceInfo(LPCSTR lpszESName, LPSTR lpszEvent)
{
BOOL fResult = FALSE;
HKEY hKey;
DWORD dwBytesReturned;
TCHAR szKeyName[128];
/* Find the event source key */
lstrcpy( szKeyName,
"System\\CurrentControlSet\\Services\\EventLog\\Security\\" );
lstrcat( szKeyName, lpszESName );
if ( RegOpenKeyEx( HKEY_LOCAL_MACHINE, szKeyName, 0, KEY_ALL_ACCESS,
&hKey ) != ERROR_SUCCESS )
{
lstrcpy( szKeyName,
"System\\CurrentControlSet\\Services\\EventLog\\System\\" );
lstrcat( szKeyName, lpszESName );
if ( RegOpenKeyEx( HKEY_LOCAL_MACHINE, szKeyName, 0, KEY_ALL_ACCESS,
&hKey ) != ERROR_SUCCESS )
{
lstrcpy( szKeyName,
"System\\CurrentControlSet\\Services\\EventLog\\application\\" );
lstrcat( szKeyName, lpszESName );
if ( RegOpenKeyEx( HKEY_LOCAL_MACHINE, szKeyName, 0, KEY_ALL_ACCESS,
&hKey ) != ERROR_SUCCESS )
{
goto Exit_ReadEventSourceInfo;
}
}
}
fResult = TRUE; /* Found the registered event source key */
dwBytesReturned = 256;
if ( RegQueryValueEx( hKey, "EventMessageFile", NULL, NULL,
(LPBYTE)lpszEvent, &dwBytesReturned ) != ERROR_SUCCESS )
lpszEvent[0] = '\0';
Exit_ReadEventSourceInfo:
return( fResult );
}
//Format the message
LPSTR GetEventMessage(
HMODULE hDll, /* Handle to the event message file */
DWORD dwEventIndex, /* Index of the event description message */
DWORD dwLanguageID, /* Language ID of the message to retrieve */
LPTSTR *lpInserts ) /* Array of insertion strings */
{
DWORD dwReturn;
LPSTR lpMsgBuf = NULL;
DWORD dwFlags = FORMAT_MESSAGE_FROM_HMODULE |
FORMAT_MESSAGE_ALLOCATE_BUFFER;
if ( lpInserts )
dwFlags |= FORMAT_MESSAGE_ARGUMENT_ARRAY;
dwReturn = FormatMessage(
dwFlags,
hDll,
dwEventIndex,
dwLanguageID,
(LPTSTR) &lpMsgBuf,
0,
lpInserts );
return( lpMsgBuf );
}
"Never leave your Wingman!"
For the love of God, close the friggin registry key in the "ReadEventSourceInfo" routine above (unless you like a lot of open handles in your bloated app!)
Add the following line in the "ReadEventSourceInfo" routine above:
}
RegCloseKey(hKey);
fResult = TRUE; /* Found the registered event source key */
"Never leave your Wingman!"
//found memory was not being freed in the example code provided, here is some that works, and I have tested it good. and the loop for the multiple dll's works also (a bug in the example code)
//CEventView is the name of my custom MFC class in case you're wondering
void CEventView::DisplayEntries()
{
HANDLE h;
EVENTLOGRECORD *pevlr;
BYTE bBuffer[1024];
DWORD dwRead, dwNeeded, dwThisRecord;
LPSTR lpmessagetext = "";
// Open the Application event log.
h = OpenEventLog( ".", // use local computer
"System"); // source name
if (h == NULL)
{TRACE("ERROR COULD NOT OPEN LOG FILE\n");}
// ErrorExit("Could not open the Application event log.");
pevlr = (EVENTLOGRECORD *) &bBuffer;
// Get the record number of the oldest event log record.
GetOldestEventLogRecord(h, &dwThisRecord);
// Opening the event log positions the file pointer for this
// handle at the beginning of the log. Read the event log records
// sequentially until the last record has been read.
TRACE("\n");
while (ReadEventLog(h, // event log handle
EVENTLOG_FORWARDS_READ | // reads forward
EVENTLOG_SEQUENTIAL_READ, // sequential read
0, // ignored for sequential reads
pevlr, // pointer to buffer
1024, // size of buffer
&dwRead, // number of bytes read
&dwNeeded)) // bytes in next record
{
while (dwRead > 0)
{
// Print the record number, event identifier, type,
// and source name.
lpmessagetext = GetString(pevlr, ((LPSTR) ((LPBYTE) pevlr +
sizeof(EVENTLOGRECORD))));
TRACE("-------------------\n");
TRACE("MSG: %s\n",lpmessagetext);
TRACE("%02d Event ID: 0x%08X ",
dwThisRecord++, pevlr->EventID);
TRACE("EventType: %d Source: %s\n",
pevlr->EventType, (LPSTR) ((LPBYTE) pevlr +
sizeof(EVENTLOGRECORD)));
TRACE("-------------------\n");
dwRead -= pevlr->Length;
pevlr = (EVENTLOGRECORD *)
((LPBYTE) pevlr + pevlr->Length);
}
pevlr = (EVENTLOGRECORD *) &bBuffer;
}
CloseEventLog(h);
}
LPSTR CEventView::GetString(EVENTLOGRECORD *pRecord, LPSTR source)
{
BOOL f;
TCHAR szEvent[256],szBuffer[256];//, **first_sz;
ZeroMemory(szEvent,256);
ZeroMemory(szBuffer,256);
HMODULE hEvt;
LPTSTR lpP[] = { "", "", "", "", "", "","", "", "","", "", "","", "", "","", "", "","", "", ""};
LPSTR lpBuf="";
LPTSTR lpstrlpBuf = "";
char* pStr;
if (pRecord->NumStrings ) {
pStr = (char*)((LPBYTE)pRecord + pRecord->StringOffset);
} else {
pStr = "";
}
if ( pStr )
{
DWORD i;
for ( i = 0; i < pRecord->NumStrings; i++ )
{
lpP[i] = (LPSTR)pStr;
pStr = strchr( (char*)pStr, '\0' ) + 1;
}
}
//Get the file name(s) from the registry
f = ReadEventSourceInfo( source, szEvent);
if(strchr(szEvent, ';'))//we have more than 1 dll to resolve
{
CStringArray array;
CString sEntry;
CString s = szEvent;
s += ";";
int iLast=0,iCur=0;
while(iLast != -1)
{
iLast = s.Find(';',iCur);
if(iLast == -1){break;}
sEntry = s.Mid(iCur,iLast-iCur);
array.Add(sEntry);
iCur=iLast+1;
}
for(int i=0; i < array.GetCount(); i++)
{
ExpandEnvironmentStrings(array[i],szBuffer, 257);
hEvt = LoadLibraryEx(szBuffer, NULL, DONT_RESOLVE_DLL_REFERENCES );
/* Load the event message file DLL */
if ( hEvt )
{
/* Get the event message with the parameter strings inserted */
lpBuf = GetEventMessage( hEvt, pRecord->EventID,
MAKELANGID(LANG_ENGLISH, SUBLANG_DEFAULT), lpP );
FreeLibrary( hEvt );
return (lpBuf);
}
}
}
else
{
ExpandEnvironmentStrings(szEvent,szBuffer, 257);
hEvt = LoadLibraryEx(szBuffer, NULL, DONT_RESOLVE_DLL_REFERENCES );
// Load the event message file DLL
if ( hEvt )
{
// Get the event message with the paramater strings inserted
lpBuf = GetEventMessage( hEvt, pRecord->EventID,
MAKELANGID(LANG_ENGLISH, SUBLANG_DEFAULT), lpP );
FreeLibrary( hEvt );
}
}
return (lpBuf);
}
//
BOOL CEventView::ReadEventSourceInfo(LPCSTR lpszESName, LPSTR lpszEvent)
{
BOOL fResult = FALSE;
HKEY hKey;
DWORD dwBytesReturned;
TCHAR szKeyName[128];
/* Find the event source key */
lstrcpy( szKeyName,
"System\\CurrentControlSet\\Services\\EventLog\\Security\\" );
lstrcat( szKeyName, lpszESName );
if ( RegOpenKeyEx( HKEY_LOCAL_MACHINE, szKeyName, 0, KEY_ALL_ACCESS,
&hKey ) != ERROR_SUCCESS )
{
lstrcpy( szKeyName,
"System\\CurrentControlSet\\Services\\EventLog\\System\\" );
lstrcat( szKeyName, lpszESName );
if ( RegOpenKeyEx( HKEY_LOCAL_MACHINE, szKeyName, 0, KEY_ALL_ACCESS,
&hKey ) != ERROR_SUCCESS )
{
lstrcpy( szKeyName,
"System\\CurrentControlSet\\Services\\EventLog\\application\\" );
lstrcat( szKeyName, lpszESName );
if ( RegOpenKeyEx( HKEY_LOCAL_MACHINE, szKeyName, 0, KEY_ALL_ACCESS,
&hKey ) != ERROR_SUCCESS )
{
goto Exit_ReadEventSourceInfo;
}
}
}
fResult = TRUE; /* Found the registered event source key */
dwBytesReturned = 256;
if ( RegQueryValueEx( hKey, "EventMessageFile", NULL, NULL,
(LPBYTE)lpszEvent, &dwBytesReturned ) != ERROR_SUCCESS )
lpszEvent[0] = '\0';
Exit_ReadEventSourceInfo:
RegCloseKey(hKey);
return( fResult );
}
//Format the message
LPSTR CEventView::GetEventMessage(
HMODULE hDll, /* Handle to the event message file */
DWORD dwEventIndex, /* Index of the event description message */
DWORD dwLanguageID, /* Language ID of the message to retrieve */
LPTSTR *lpInserts ) /* Array of insertion strings */
{
DWORD dwReturn;
LPSTR lpMsgBuf = NULL;
DWORD dwFlags = FORMAT_MESSAGE_FROM_HMODULE |
FORMAT_MESSAGE_ALLOCATE_BUFFER;
if ( lpInserts )
dwFlags |= FORMAT_MESSAGE_ARGUMENT_ARRAY;
dwReturn = FormatMessage(
dwFlags,
hDll,
dwEventIndex,
dwLanguageID,
(LPTSTR) &lpMsgBuf,
0,
lpInserts );
return( lpMsgBuf );
}
Did someone try to run the code for the "security-log"? I got: "Run-Time Check Failure #2 - Stack around the variable 'lpP' was corrupted."
Any idea what causes the problem?
Here is the code:
>>>>
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#define BUFFER_SIZE 1024*64
static char g_szLogfile[80];
BOOL ReadEventSourceInfo(LPCSTR lpszESName, LPSTR lpszEvent) ;
LPSTR GetEventMessage(
HMODULE hDll, /* Handle to the event message file */
DWORD dwEventIndex, /* Index of the event description message */
DWORD dwLanguageID, /* Language ID of the message to retrieve */
LPTSTR *lpInserts ) /* Array of insertion strings */
{
DWORD dwReturn;
LPSTR lpMsgBuf = NULL;
DWORD dwFlags = FORMAT_MESSAGE_FROM_HMODULE |
FORMAT_MESSAGE_ALLOCATE_BUFFER;
if ( lpInserts )
dwFlags |= FORMAT_MESSAGE_ARGUMENT_ARRAY;
dwReturn = FormatMessage(
dwFlags,
hDll,
dwEventIndex,
dwLanguageID,
(LPTSTR) &lpMsgBuf,
0,
lpInserts );
return( lpMsgBuf );
}
LPSTR GetStringEx(EVENTLOGRECORD *pRecord, LPSTR source)
{
BOOL f;
TCHAR szEvent[256],szBuffer[256], **first_sz;
HMODULE hEvt;
LPTSTR lpP[] = { "", "", "", "", "", "","", "", "","", "", "","", "", "","", "", "","", "", ""};
LPSTR lpBuf="";
LPTSTR lpstrlpBuf = "";
char* pStr;
if (pRecord->NumStrings ) {
pStr = (char*)((LPBYTE)pRecord + pRecord->StringOffset);
} else {
pStr = "";
}
if ( pStr )
{
DWORD i;
for ( i = 0; i < pRecord->NumStrings; i++ )
{
lpP[i] = (LPSTR)pStr;
pStr = strchr( (char*)pStr, '\0' ) + 1;
}
}
//Get the file name(s) from the registry
f = ReadEventSourceInfo( source, szEvent);
if(strchr(szEvent, ';'))
{
int i=0, j, k, num_files=0, last=0;
char *aux, *cad;
aux = szEvent;
while(aux = strchr(aux, ';'))
{
num_files++;
aux++;
}
aux = szEvent;
for(j=0; j<= num_files; j++)
{
int counter =0;
while((szEvent[i]!= ';') && i < sizeof(szEvent)){
i++;
counter++;
}
first_sz= (TCHAR **)malloc(num_files * (sizeof(szEvent)));
cad = (char *) malloc(counter+1);
for(k = 0; k < counter; k++ ){
cad[k] = szEvent[last+k];
}
cad[counter]= '\0';
first_sz[j] = cad;
i++;
last = i;
//Convert the %SystemRoot% stuff
ExpandEnvironmentStrings(first_sz[j],szBuffer, 257);
//We actually have to load an .exe or what not to read the messages
hEvt = LoadLibraryEx(szBuffer, NULL, DONT_RESOLVE_DLL_REFERENCES );
/* Load the event message file DLL */
if ( hEvt )
{
/* Get the event message with the paramater strings inserted */
lpBuf = GetEventMessage( hEvt, pRecord->EventID,
MAKELANGID(LANG_ENGLISH, SUBLANG_DEFAULT), lpP );
FreeLibrary( hEvt );
}
}
return (lpBuf);
}
else
{
ExpandEnvironmentStrings(szEvent,szBuffer, 257);
hEvt = LoadLibraryEx(szBuffer, NULL, DONT_RESOLVE_DLL_REFERENCES );
/* Load the event message file DLL */
if ( hEvt )
{
/* Get the event message with the paramater strings inserted */
lpBuf = GetEventMessage( hEvt, pRecord->EventID,
MAKELANGID(LANG_ENGLISH, SUBLANG_DEFAULT), lpP );
FreeLibrary( hEvt );
}
}
return (lpBuf);
}
BOOL ReadEventSourceInfo(LPCSTR lpszESName, LPSTR lpszEvent)
{
BOOL fResult = FALSE;
HKEY hKey;
DWORD dwBytesReturned;
TCHAR szKeyName[128];
/* Find the event source key */
lstrcpy( szKeyName,
"System\\CurrentControlSet\\Services\\EventLog\\Security\\" );
lstrcat( szKeyName, lpszESName );
if ( RegOpenKeyEx( HKEY_LOCAL_MACHINE, szKeyName, 0, KEY_ALL_ACCESS,
&hKey ) != ERROR_SUCCESS )
{
lstrcpy( szKeyName,
"System\\CurrentControlSet\\Services\\EventLog\\System\\" );
lstrcat( szKeyName, lpszESName );
if ( RegOpenKeyEx( HKEY_LOCAL_MACHINE, szKeyName, 0, KEY_ALL_ACCESS,
&hKey ) != ERROR_SUCCESS )
{
lstrcpy( szKeyName,
"System\\CurrentControlSet\\Services\\EventLog\\application\\" );
lstrcat( szKeyName, lpszESName );
if ( RegOpenKeyEx( HKEY_LOCAL_MACHINE, szKeyName, 0, KEY_ALL_ACCESS,
&hKey ) != ERROR_SUCCESS )
{
goto Exit_ReadEventSourceInfo;
}
}
}
fResult = TRUE; /* Found the registered event source key */
dwBytesReturned = 256;
if ( RegQueryValueEx( hKey, "EventMessageFile", NULL, NULL,
(LPBYTE)lpszEvent, &dwBytesReturned ) != ERROR_SUCCESS )
lpszEvent[0] = '\0';
Exit_ReadEventSourceInfo:
return( fResult );
}
void DisplayEntries( )
{
HANDLE h;
EVENTLOGRECORD *pevlr;
BYTE bBuffer[BUFFER_SIZE];
DWORD dwRead, dwNeeded, dwThisRecord;
LPSTR lpmessagetext = "";
char* pStr;
LPTSTR lpP[] = { "", "", "", "", "", "","", "", "","", "", "","", "", "","", "", "","", "", ""};
// Open the Application event log.
h = OpenEventLog( NULL, // use local computer
g_szLogfile); // source name
if (h == NULL)
{
printf("Could not open the Application event log.");
return;
}
pevlr = (EVENTLOGRECORD *) &bBuffer;
// Get the record number of the oldest event log record.
GetOldestEventLogRecord(h, &dwThisRecord);
// Opening the event log positions the file pointer for this
// handle at the beginning of the log. Read the event log records
// sequentially until the last record has been read.
while (ReadEventLog(h, // event log handle
EVENTLOG_FORWARDS_READ | // reads forward
EVENTLOG_SEQUENTIAL_READ, // sequential read
0, // ignored for sequential reads
pevlr, // pointer to buffer
BUFFER_SIZE, // size of buffer
&dwRead, // number of bytes read
&dwNeeded)) // bytes in next record
{
while (dwRead > 0)
{
// Print the record number, event identifier, type,
// and source name.
lpmessagetext = GetStringEx(pevlr, ((LPSTR) ((LPBYTE) pevlr +
sizeof(EVENTLOGRECORD))));
printf("Event source/text/num: [%s]/[%s]/[%d]\n",
(LPSTR) ((LPBYTE) pevlr + sizeof(EVENTLOGRECORD)), lpmessagetext,
pevlr->NumStrings);
if (pevlr->NumStrings ) {
pStr = (char*)((LPBYTE)pevlr + pevlr->StringOffset);
} else {
pStr = "";
}
if ( pStr )
{
DWORD i;
for ( i = 0; i < pevlr->NumStrings; i++ )
{
lpP[i] = (LPSTR)pStr;
pStr = strchr( (char*)pStr, '\0' ) + 1;
printf("--> [%s]\n", lpP[i]); /* print the string just collected, not the one after it */
}
}
dwRead -= pevlr->Length;
pevlr = (EVENTLOGRECORD *)
((LPBYTE) pevlr + pevlr->Length);
}
pevlr = (EVENTLOGRECORD *) &bBuffer;
}
CloseEventLog(h);
}
int main(int argc, char * argv[])
{
if (argc!=2)
{
printf("%s [logfile]\n", argv[0]);
exit (0);
}
strncpy(g_szLogfile, argv[1], sizeof(g_szLogfile) - 1); /* g_szLogfile is static, so it stays NUL-terminated */
DisplayEntries();
return 1;
}
#if 0
LPSTR GetString(EVENTLOGRECORD *pRecord, LPSTR source)
{
BOOL f;
TCHAR szEvent[256],szBuffer[256];//, **first_sz;
ZeroMemory(szEvent,256);
ZeroMemory(szBuffer,256);
HMODULE hEvt;
LPTSTR lpP[] = { "", "", "", "", "", "","", "", "","", "", "","", "", "","", "", "","", "", ""};
LPSTR lpBuf="";
LPTSTR lpstrlpBuf = "";
char* pStr;
if (pRecord->NumStrings ) {
pStr = (char*)((LPBYTE)pRecord + pRecord->StringOffset);
} else {
pStr = "";
}
if ( pStr )
{
DWORD i;
for ( i = 0; i < pRecord->NumStrings; i++ )
{
lpP[i] = (LPSTR)pStr;
pStr = strchr( (char*)pStr, '\0' ) + 1;
}
}
//Get the file name(s) from the registry
f = ReadEventSourceInfo( source, szEvent);
if(strchr(szEvent, ';'))//we have more than 1 dll to resolve
{
CStringArray array;
CString sEntry;
CString s = szEvent;
s += ";";
int iLast=0,iCur=0;
while(iLast != -1)
{
iLast = s.Find(';',iCur);
if(iLast == -1){break;}
sEntry = s.Mid(iCur,iLast-iCur);
array.Add(sEntry);
iCur=iLast+1;
}
for(int i=0; i
{
ExpandEnvironmentStrings(array[i],szBuffer, 257);
hEvt = LoadLibraryEx(szBuffer, NULL, DONT_RESOLVE_DLL_REFERENCES );
/* Load the event message file DLL */
if ( hEvt )
{
/* Get the event message with the paramater strings inserted */
lpBuf = GetEventMessage( hEvt, pRecord->EventID,
MAKELANGID(LANG_ENGLISH, SUBLANG_DEFAULT), lpP );
FreeLibrary( hEvt );
return (lpBuf);
}
}
}
else
{
ExpandEnvironmentStrings(szEvent,szBuffer, 257);
hEvt = LoadLibraryEx(szBuffer, NULL, DONT_RESOLVE_DLL_REFERENCES );
// Load the event message file DLL
if ( hEvt )
{
// Get the event message with the paramater strings inserted
lpBuf = GetEventMessage( hEvt, pRecord->EventID,
MAKELANGID(LANG_ENGLISH, SUBLANG_DEFAULT), lpP );
FreeLibrary( hEvt );
}
}
return (lpBuf);
}
#endif
<<<< End code
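The insertion-string walk that the code in this thread copies into a fixed lpP[21] array, written with bounds checks, as an added example (not code from the article or from any poster). It mirrors the EVENTLOGRECORD layout from winnt.h so it builds without windows.h; the record contents, source name, computer name "TESTBOX" and event ID are constructed sample data.

```c
#include <stdint.h>
#include <string.h>
#define MAX_INSERTS 21   /* same fixed size as the lpP[] array in the thread */

/* 56-byte EVENTLOGRECORD header; fields are naturally aligned, so no pragma. */
typedef struct {
    uint32_t Length, Reserved, RecordNumber, TimeGenerated, TimeWritten, EventID;
    uint16_t EventType, NumStrings, EventCategory, ReservedFlags;
    uint32_t ClosingRecordNumber, StringOffset, UserSidLength, UserSidOffset,
             DataLength, DataOffset;
} evt_hdr;

typedef struct {
    uint32_t event_id;
    const char *source;                 /* points into the caller's buffer */
    const char *inserts[MAX_INSERTS];   /* insertion strings for FormatMessage */
    int ninserts;
} evt_parsed;

/* Byte after the NUL ending the string at p, or NULL if no NUL in [p, end). */
static const char *next_sz(const char *p, const char *end) {
    const char *nul = memchr(p, '\0', (size_t)(end - p));
    return nul ? nul + 1 : NULL;
}

/* Parse the record at buf[0..avail). Returns its Length, or 0 if any length,
 * offset or count is inconsistent: a corrupt record then can neither drive
 * reads outside the buffer nor overflow inserts[]. */
static uint32_t parse_record(const uint8_t *buf, size_t avail, evt_parsed *out) {
    evt_hdr h; uint32_t tail;
    if (avail < sizeof h) return 0;
    memcpy(&h, buf, sizeof h);
    if (h.Length < sizeof h + 4 || h.Length > avail || (h.Length & 3)) return 0;
    const char *end = (const char *)buf + h.Length - 4;  /* trailing Length copy */
    memcpy(&tail, end, 4);
    if (tail != h.Length) return 0;
    /* SourceName and ComputerName follow the header, each NUL-terminated. */
    const char *src = (const char *)buf + sizeof h;
    const char *comp = next_sz(src, end);
    if (!comp || !next_sz(comp, end)) return 0;
    /* The thread's GetString copies NumStrings pointers into lpP[21] unchecked;
     * a Security event with more inserts is the reported stack corruption. */
    if (h.NumStrings > MAX_INSERTS) return 0;
    if (h.StringOffset < sizeof h || h.StringOffset > h.Length - 4) return 0;
    const char *p = (const char *)buf + h.StringOffset;
    out->ninserts = 0;
    for (int i = 0; i < h.NumStrings; i++) {
        const char *nxt = next_sz(p, end);
        if (!nxt) return 0;   /* insertion string runs past the record */
        out->inserts[out->ninserts++] = p;
        p = nxt;
    }
    out->event_id = h.EventID; out->source = src;
    return h.Length;
}

/* Write a constructed record (hypothetical names, constructed data) into dst. */
static uint32_t build_record(uint8_t *dst, size_t cap, uint32_t event_id,
                             const char *source, const char **ins, uint16_t n) {
    size_t len = sizeof(evt_hdr) + strlen(source) + 1 + sizeof "TESTBOX";
    size_t str_off = len, pos = sizeof(evt_hdr);
    for (uint16_t i = 0; i < n; i++) len += strlen(ins[i]) + 1;
    len = (len + 4 + 3) & ~(size_t)3;   /* trailing Length copy, DWORD aligned */
    if (len > cap) return 0;
    memset(dst, 0, len);
    evt_hdr h = {0};
    h.Length = (uint32_t)len; h.EventID = event_id;
    h.NumStrings = n; h.StringOffset = (uint32_t)str_off;
    memcpy(dst, &h, sizeof h);
    strcpy((char *)dst + pos, source);    pos += strlen(source) + 1;
    strcpy((char *)dst + pos, "TESTBOX"); pos += sizeof "TESTBOX";
    for (uint16_t i = 0; i < n; i++) { strcpy((char *)dst + pos, ins[i]); pos += strlen(ins[i]) + 1; }
    memcpy(dst + len - 4, &h.Length, 4);
    return (uint32_t)len;
}

/* Constructed sample: a normal record, then one carrying 30 insertion strings
 * (more than lpP[] holds). Returns how many records parse cleanly. */
static int demo(void) {
    static uint8_t buf[4096];
    const char *ok[] = {"jdoe", "WORKSTATION01", "Negotiate"}, *many[30];
    for (int i = 0; i < 30; i++) many[i] = "x";
    size_t n = build_record(buf, sizeof buf, 1000, "Security", ok, 3);
    n += build_record(buf + n, sizeof buf - n, 1000, "Security", many, 30);
    /* Same walk as the thread's loops (advance by Length until dwRead is used up). */
    evt_parsed rec; int parsed = 0;
    for (size_t off = 0, used; off < n && (used = parse_record(buf + off, n - off, &rec)); off += used)
        parsed++;
    return parsed;   /* 1: the oversized record is refused instead of overflowing */
}
```

The same checks belong in front of any FormatMessage call fed from lpP[], because the message file's inserts are also trusted only as far as the record's offsets are.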
Torben_Surmer wrote: for(int i=0; i
{
ExpandEnvironmentStrings(array[i],szBuffer, 257);
hEvt = LoadLibraryEx(szBuffer, NULL, DONT_RESOLVE_DLL_REFERENCES );
/* Load the event message file DLL */
if ( hEvt )
{
/* Get the event message with the paramater strings inserted */
lpBuf = GetEventMessage( hEvt, pRecord->EventID,
MAKELANGID(LANG_ENGLISH, SUBLANG_DEFAULT), lpP );
FreeLibrary( hEvt );
return (lpBuf);
}
There's a mangled FOR loop in this code...
It should probably be this:
for(int i=0; i < array.GetCount(); i++)
but other than that this code works, and best of all DOESN'T LEAK!
Ivan Bohannon
Hello!
Actually, I need to know how to watch a printer with Visual Basic 6.0 for documents that have been printed or deleted from the spooler.
I thought that by accessing the Windows 2000 Event Log file I could obtain that information, but I can only get a few data and I need more, like the document's name, page numbers, user, printer, etc.
Does anyone have an example for me about that?
Thank you!!
Actually, the Event Log does track some (I don't think all) spooler events. If you want to get more data, I suggest you query the targeted printer(s) directly.
I did query the printer directly, but I couldn't know what happened with the document in the spooler; I don't know if it has been deleted, printed, paused, etc. after it disappears from the spooler.
With the info in the Event Log file (SysEvent.Evt), I could do it, but I can only obtain the event, not the info about the document...
I keep on trying...
Thanks!!!!